Statewatch
Annotated guide to the issues and documentation on mandatory
data retention in the EU

1. The Council
2. The European Commission
3. EU Data Protection Authorities
4. The European Parliament
5. Civil society

"If the security and intelligence agencies - who are
at the forefront in stopping terrorist attacks - need access
to the telecommunications data to be retained it is very hard
to believe that EU governments would have taken over four years
to come up with a proposal which will not come into effect for
at least two further years. If this is the case they would be
guilty of gross negligence and failure to protect the people
of Europe. However, if additional powers are needed they should
be strictly limited to dealing with terrorism and related offences."

"Revise
draft privacy directives that call for mandatory destruction
to permit the retention of critical data for a reasonable period."

It took two and
a half years for four member states (French Republic, Ireland,
the Kingdom of Sweden and the United Kingdom) to put forward
a proposal on 28 April 2004: 8958/05 (pdf). Between 28 April
2004 and 31 May 2005 six versions of the proposals were available
on the Council's register of documents, eight were partially
accessible ("PA", with the names of member states blanked
out so that no-one could see what their governments were arguing)
and one was not accessible. Between 1 June and 25 October 2005
there are no less than 13 substantive Council drafts, none
of which are publicly available on the Council's register of
documents.

The latest full
draft of the Council's proposal, dated 10 October 2005: 12894/1/05 - this shows that there
were major reservations by many member states on issues of substance.
For example:

"In order
to address the reservations in relation to Internet data, the
Presidency had proposed a compromise package whereby "Internet
chat" was included in Article 2(2) along with the wording
proposed by FI ("provided by publicly available electronic
communications service providers"). In conjunction with
that, a "review clause" was inserted in Article 8.
Several delegations (IT/HU/ES/CZ) could accept or supported the
Presidency proposal. Others wanted to go further and include
logs of web browsing, Internet chat and peer-to-peer communications
(BE/SW/LT/DK). However AT/FI/LV/DE/FR/IE/GR/SK/EE could not accept
the inclusion of Internet chat or other Internet data types expressing
concern that the inclusion of such data might have an impact
on the costs incurred and / or require more in-depth consideration
in respect of a clear distinction between traffic data and content
data which might risk delaying discussions. They thought
that the outcome of the meeting of the Working Party in July
2005 reflected the minimum consensus and wanted to revert to
that wording. The proposed review clause met with acceptance."
(emphasis added)

The concern expressed
by nine governments over "a clear distinction between
traffic data and content data" has, under Article 8,
simply been deferred until 1 January 2008 when:

"The
Council shall thereafter review the list of data to be retained
in particular with reference to the possibility of including
additional types of Internet data."

A clear distinction
between access to traffic data and its content is thus blurred.

A further document,
24.10.05, shows the Council working on two tracks: 1) to try
and finally agree their own proposal and 2) proposing amendments
to the Commission draft Directive: 13624/05

The big issue,
which has obscured the debate over the substantive issues, is
the legal basis of the Council proposal. Both the Legal Services
of the Council and the European Commission said that the proposal
had to be split in two - the mandatory retention of data by service
providers coming under the TEC (Treaty establishing the European
Communities) where the European Parliament has powers of co-decision
(ie: the Council and parliament have to agree on the final text)
and access to the retained data by LEAs as a Framework Decision
under the TEU (where the parliament is only consulted). See:
Statewatch
report and the Opinions of the Legal Services. Both concluded that
if the Council were to pursue a single measure it would almost
certainly be challengeable in the Court of Justice. Indeed the
Council itself notes if adopted as a single measure it could:

"be annulled:
this could result in claims for compensation from any operator
who had already been obliged to implement the measure" (EU
doc no: 13036/05)

Although these
Opinions were dated 22 March 2005 (Commission) and 5 April 2005
(Council) the Council carried on for five months as if they did
not exist - only belatedly has the Council grudgingly suggested
that it might agree to back the Commission's draft Directive
on mandatory data retention, but only if agreement can be reached
with the European Parliament by the beginning of December (in
time for the Justice and Home Affairs Council on 1-2 December),
see, letter from UK Home Secretary, Charles Clarke, representing
the UK Council Presidency: Clarke letter to
Cavada
(Mr Cavada is chair of the parliament's Committee on Civil Liberties).

a. Outstanding
issues to be agreed by member states
b. The Council's proposed amendments to the Commission's draft
Directive
c. The latest version of the Council's draft Framework Decision
(to be read in conjunction with: 12894/1/05)

What is quite
extraordinary about the Council's demand that the European Parliament
rush the meaure is that the Council has not even agreed its own
final text.

2. The European
CommissionThe
Commission placed on record its reservation about the legal basis
of the Council's proposal in autumn 2004. Once the legal opinions
of both institutions were published it was only a matter of time
before the Commission put forward its own proposal, which it
did on 21 September 2005: Commission
proposal for a Directive and Commission
Extended Impact Assessment

The Commission's
proposal differs from that of the Council in terms of scope.
While the Council's proposal covers:

"the
purpose of investigation, detection and prosecution of criminal
offences.

the Commission
says it should cover:

"the
purpose of the prevention, investigation, detection and prosecution
of serious criminal offences, such as terrorism and organised
crime."

The scope of
the Commission's definition is more limited but as "serious
criminal offences" are today defined by the EU very broadly
it is a major extension from covering terrorism and directly
related offences.

What is worthy
of note is that the powers under the UK's Anti-Terrorism, Crime
and Security Act, passed in 2001, the scope of the retention
of data by service and network providers is strictly limied to
"national security" and offences "directly or
indirectly related to it. Under
the Act the Home Secretary can request the retention of data:

"(a)
for the purpose of safeguarding national security: or
(b) for the purpose of prevention or detection of crime or the
prosecution of offenders which may relate directly or indirectly
to national security" (Section 102.3, emphasis added)

The Commission's
proposal is also:

" far
more invasive than the Council proposal. The Commission defines
'communication' as involving "any information exchanged
or conveyed between a finite number of parties by means of a
publicly available electronic communications service". Therefore
the Commission is proposing the tracing of all forms of Internet
transactions. This means that communications service providers
could be compelled to store their mail server logs, web cache
logs, and IP flow logs[4] for six months without any regard to
necessity or proportionality." (NGO letter to MEPs, 26.9.05)

The Commission's
proposal utterly fails to deal with data protection. As its proposal
comes under the "first pillar" (TEC) the personal data
retained by service and network providers comes under the 1995
Data Protection Directive. Its Extended Impact Assessment simply
asserts that as the 1995 Directive has been implemented by all
member states there is no need for any further provisions and
that "citizens can exercise their powers as granted under
these instruments" (p20). But what are the powers of the
citizens at national level? Do the powers and resources vary
from state to state?

Well the conclusion
of the only report on the operation of the 1995 Directive in
the member states was published in 2003: 1st report on the 1995 Directive and its Technical
report
The first report notes that there were variations in powers between
states, many data protection authorities were under-resourced
and patchy compliance by data controllers. It concludes that
if these tendencies are confirmed:

"they
are reasons for serious concern and reflections need to be undertaken
between the Commission and the Member States and the supervisory
authorities to determine their causes and design feasible solutions."

In particular
the report notes that:

"The
provisions containing safeguards have not been adopted by all
Member States. Where they exist, they are often unsatisfactory.
The situation is similar as regards Article 8 (4) and (5) - the
processing of sensitive data for reasons of public interest
or with regard to criminal convictions. The absence of safeguards
means the required level of protection for individuals is not
being met, which should be a matter of concern for the Member
States, as it is for the Commission." (emphasis added)

Whereas the justification
for the Commission's proposal on mandatory data retention is
to get rid of a "patchwork" of different powers in
member states, when it comes to data protection there is silence.
The 1995 Directive was implemented in the then members states
by 1998 since when there has been just one report whose reservations
has also been meet with an institutional silence. Moreover, with
the shift of responsibility for data protection from the Internal
Market DG to the so-called "Freedom, Justice and Security"
DG there is little prospect of any action, see: Data
protection handed to the DG for law, order and security

As noted above
the Council's proposal covers two areas: 1) the mandatory retention
of telecommunications data by service and network providers -
to which the Commission has responded with a proposed Directive
and 2) access to the retained data by law enforcement agencies
and the exchange of that data between them (and under the "principle
of availability" to non-EU states too) - however, the
Commission has yet to published a proposal for a Framework Decision
on this second aspect. It is hard to see how the European Parliament
can properly consider the first proposal without having sight
of, and time to consider, the second one.

The European
Parliament should seeks to effect all the recommended amendments
proposed by these two bodies.

4. The European ParliamentThe first battle for the European Parliament was to
insist that the Council proposal be dropped - due to its faulty
legal basis - and for two proposals to be presented. One based
on the mandatory retention of data under the TEC, on which it
has powers of co-decision, and another on access to the data
and its transfer under the TEU on which it is only consulted.

European Digital
Rights (EDRI) report that Charles Clarke was not at his most
diplomatic when he addressed the Committee on Civil Liberties
on 13 October. He told the Committee that if they did not agree
the proposal before December Justice and Home Affairs Council
(1-2 December) the Council would adopted their draft Framework
Decision. Moreover he is reported to have told MEPs that if parliament
failed to do this "he would make sure the European Parliament
would no longer have a say on any justice and home affairs matter".

As is clear from the Clarke
letter to Cavada
(UK Home Secretary, Charles Clarke, representing the UK Council
Presidency and Mr Cavada is chair of the parliament's Committee
on Civil Liberties) the Council is trying to blackmail the European
Parliament with the threat that it will go ahead with its own
Framework Decision. In his letter to Mr Cavada, Clarke says:

"the
Framework Decision will remain on the table, as an option favoured
by a large number of delegations. However, a majority of delegations
were also open to a Directive"

The Council is
saying if the Directive can be adopted "by the end of
the year" and the text matches their demands then they
will go down this path. In truth the Council has no choice
but to drop its proposal and go along with two draft measuresand it knows it.

Clarke's letter
to 17 October is slightly more conciliatory but contains the
same veiled threat of reverting to the original Council proposal.
He wants to work closely with the parliament "to maximise
common ground... by the end of the year". He ends by saying
that if all three institutions (Council, Commission and European
Parliament) cooperate it will:

"show
that we are serious about working together to make a difference
to the daily lives of our citizens"

A statement that
is ambiguous to say the least - the measure will certainly make
a difference, the question is what kind of difference?

At the meeting
in the European Parliament of the "Conference of Presidents"
(the Group leaders of the parties) on 20 October mandated Mr
Cavada and the committee to pursue negotiations with the Council.
Such "trilogue" meetings between the Council, Commission
and European Parliament representatives take place behind closed
doors.

The only way
the parliament can meet Charles Clarke's early December deadline
is through a first reading co-decision "deal" - by
agreeing a set of common amendments to the Commission draft Directive
which are then formally adopted by the Council and by the Committee
on Civil Liberties and then plenary session of the parliament
- this
"fast-track" procedure is intended to deal with uncontroversial
measures, which is certainly not true in this case.

It should be
remember that the need for this proposal was agreed by the Council
over four years ago (20 September 2001) so it is to be hoped
that the parliament will not succumb to "inter-institutional"
pressure and take all the time necessary to ensure that the liberties
and privacy of the people of Europe are properly protected.

5. Civil societyCivil society - NGOs and groups working
on civil liberties, privacy, lawyers and journalists - have opposed
the measure from the start. They remain unconvinced as to the
need and are equally certain that if introduced the powers will,
on occasion, be misused and abused. They are not convinced that
EU data protection provisions will give any meaningful protection
to the individual, who will have no right to be told they have
been under surveillance - unless, of course, they are arrested
and charged. And if they have no "right to know" they
will have no right to correct the data or to be told which agencies
information on them has been passed and how it has been added
to (inside and outside the EU).

These views are exacerbated by the so-called "principle
of availability", invented under the Hague Programme, where
intelligence and information held by an agency in one member
state can be passed to that in another or to a non-EU state.

Where governments, officials and many parliamentarians are
inclined to place their trust in the law enforcement (and security)
agencies, concerned civil society see this measure as one of
many where these agencies will become self-regulating and unaccountable.

In September 2004 an Open Letter opposing mandatory data retention
was sent to the European Parliament from 170 groups/companies
- 90 NGOs and 80 telecoms companies: Open
letter on mandatory data retention

Among the main concerns are:

1. If the security and intelligence agencies - who are at
the forefront in stopping terrorist attacks - need access to
the telecommunications data to be retained it is very hard to
believe that EU governments would have taken over four years
to come up with a proposal which will not come into effect for
at least two further years. If this is the case they would be
guilty of gross negligence and failure to protect the people
of Europe. However, if additional powers are needed they should
be limited to dealing with terrorism and related offences.

2. The terrible terrorist attacks in the USA, Madrid and London
should not be used to justify placing all communications in the
EU under surveillance, making everyone a potential "suspect".
This is exactly what the EU governments (the Council) want to
do when they propose that the retained data can be used for any
suspected criminal offence, however minor.

3. The wholesale retention of all communications of everyone
is contrary to the findings of the European Court of Human Rights
(under Article 8). This interference with the privacy rights
of every user of European-based communications services cannot
be justified under the limited exceptions envisaged by Article
8 because it is neither consistent with the rule of law nor necessary
in a democratic society. The indiscriminate collection of traffic
data offends a core principle of the rule of law: that citizens
should have notice of the circumstances in which the State may
conduct surveillance, so that they can regulate their behaviour
to avoid unwanted intrusions. Moreover, the data retention requirement
would be so extensive as to be out of all proportion to the law
enforcement objectives served.

4. The question of cost has been fudged by the Council and
the Commission. What has not been highlighted is that service
and network providers will be asked to retain a lot more data
on each communication than they ever did for billing purpose.
The "institutional consensus" seems to be to leave
it to national decision-making whether government are going to
help pay for the storage and access to mountains of data or whether
the cost will be passed on to the customer. Either way we will
all end up paying for our own surveillance.

5. Even the USA has not proposed such a measure, nor will
it apply to a service providers from outside the EU.

6. The bottom line is, what kind of society do we want to
live in - one where democratic values and standards are maintained
in the face in terrorist attacks or one which no Western country
would have dared bring about during the Cold War?

"Therefore the European Parliament now faces a crucial
decision. Is this the type of society we would like to live in?
A society where all our actions are recorded, all of our interactions
may be mapped, treating the use of communications infrastructures
as criminal activity; just in case that it may be of use at some
point in the future by countless agencies in innumerable countries
around the world with minimal oversight and even weaker safeguards."
(NGO letter to MEPs,2.9.05)

Tony Bunyan,
Statewatch editor, comments:

"The
Council has failed to convince many of us of the need for this
measure. But it is good that on such a momentus issue - placing
all the communications of everyone under surveillance - that
the European Parliament has the full powers of co-decision. These
are powers it should use to the full:

1. The initiative
for this measure came out of the EU's reaction to 11 September
2001, its scope should thus be limited to terrorism and directly
related offences. If the security and intelligence agencies
- who are at the forefront in stopping terrorist attacks - need
access to the telecommunications data to be retained it is very
hard to believe that EU governments would have taken over four
years to come up with a proposal which will not come into effect
for at least two further years. If this is the case they would
be guilty of gross negligence and failure to protect the people
of Europe.

2. To call
on the Commission to prepare a report on data protection laws
and practices in all member states - the Commission says in its
proposal that nothing more is needed on data protection as this
is catered for in national laws, but what protection do these
laws provide and do they vary?

3. To introduce
amendments to put in place all the recommendations from the European
Data Protection Supervisor and the Article 29 Working Party on
data protection

4. To review
the critiques of NGOs and groups in civil society

The Council
has taken four years to bring forward this proposal and still
does not have its own agreed text. The European Parliament should
take all the time it needs to properly consider the measure for
this is what the people of Europe expect - to ensure that these
powers are strictly limited in scope and that their rights to
data protection and privacy are not endangered."

Statewatch does not
have a corporate view, nor does it seek to create one, the views
expressed are those of the author. Statewatch is not responsible
for the content of external websites and inclusion of a link
does not constitute an endorsement.